Many of the high-profile attacks you've read about lately have come from the same place: the Syrian Electronic Army (SEA). How do they keep hijacking high-profile accounts and sites over and over again? Good, old-fashioned phishing attacks. From Sophos:
The suspicion is that the hackers have been targeting potential victims with phishing emails. For instance, if the attackers were to send a convincing looking email to a news agency, claiming to be a link to a breaking news story, recipients might be fooled into clicking on it and being tricked into entering their Twitter account details.
And the Onion just published a detailed post explaining how its Google Apps accounts were phished in a two-phase attack:
Once the attackers had access to one Onion employee’s account, they used that account to send the same email to more Onion staff at about 2:30 AM on Monday, May 6. Coming from a trusted address, many staff members clicked the link, but most refrained from entering their login credentials. Two staff members did enter their credentials, one of whom had access to all of our social media accounts.
The Onion piece closes with the rote advice: use a different password for every app, and make each one strong. But decades of experience with passwords show that individuals don't follow strong password hygiene unless they have tools that make a strong, unique password easier to use than a weak, reused one.
The Onion's other suggestion is to put an app such as HootSuite in front of social media accounts, so that staff post through HootSuite's delegated access instead of holding the account password themselves. That is good advice for Twitter and Facebook, but there isn't a point solution like it for every app you use (and if you're anything like us, you're using dozens).
The best remedy to phishing attacks is to take passwords completely out of your users' hands and mediate all application access through an authentication gateway like Meldium. If a user never knows the per-app password, there is nothing for a phishing page to collect. Combine that with two-factor authentication on the gateway itself and a phished master password alone no longer unlocks anything: the attacker also needs the second factor, and a one-time code is only useful within its short validity window (a real-time relay can still capture a current code, so two-factor authentication raises the bar considerably rather than eliminating the risk outright). A simple password manager isn't enough; you're really only protected once you've moved all of your passwords off of low-security devices (like employee email accounts, desktops, and browsers) and into encrypted, secure, authenticated storage. And trust us, your team won't miss typing in their passwords every day.
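As an added example (not Meldium's code, and not a description of its product), here is the gateway-plus-second-factor idea reduced to runnable Python: per-app passwords are random and generated on the server side, so the user has none to type into a phishing page, and signing in to the gateway needs both the master password and a current TOTP (RFC 6238) code. The `Gateway` class, its method names and the PBKDF2 round count are assumptions for illustration; the `hotp` and `totp` functions follow RFC 4226 and RFC 6238 and reproduce their published test vectors. Credentials are kept in a plain dictionary here; a real deployment encrypts them at rest.

```python
"""Added example: a toy authentication gateway with TOTP second factor.
Assumed design for illustration, not Meldium's implementation. Stdlib only."""
import hashlib
import hmac
import secrets
import struct
import time

PBKDF2_ROUNDS = 200_000  # assumption: tune for your hardware


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step)


class Gateway:
    """Users hold one master password plus a TOTP secret. Per-app passwords are
    random, created server-side, and only released to an authenticated session."""

    def __init__(self):
        self._users = {}     # username -> record (assumed schema)
        self._sessions = {}  # session token -> username

    def enroll(self, username: str, master_password: str, totp_secret=None) -> bytes:
        salt = secrets.token_bytes(16)
        self._users[username] = {
            "salt": salt,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, PBKDF2_ROUNDS),
            "totp_secret": totp_secret or secrets.token_bytes(20),
            "apps": {},  # real deployment: encrypted at rest (e.g. AES-GCM)
        }
        return self._users[username]["totp_secret"]  # provisioned once to the authenticator app

    def login(self, username: str, master_password: str, code, now=None):
        """Return a session token, or None. Both factors are required; the TOTP
        check tolerates one 30-second step of clock skew either way."""
        now = int(time.time()) if now is None else now
        rec = self._users.get(username)
        if rec is None or not isinstance(code, str) or not code.isdigit():
            return None
        candidate = hashlib.pbkdf2_hmac("sha256", master_password.encode(), rec["salt"], PBKDF2_ROUNDS)
        pw_ok = hmac.compare_digest(candidate, rec["pw_hash"])
        # A phished master password alone fails here: the code must match the current window.
        code_ok = any(
            hmac.compare_digest(totp(rec["totp_secret"], now + skew * 30), code)
            for skew in (-1, 0, 1)
        )
        if not (pw_ok and code_ok):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def add_app(self, token: str, app: str) -> str:
        """Generate a strong, unique password for `app`; the user never types it."""
        username = self._sessions[token]
        password = secrets.token_urlsafe(24)
        self._users[username]["apps"][app] = password
        return password

    def app_password(self, token: str, app: str):
        """Release an app credential only to a live gateway session."""
        username = self._sessions.get(token)
        if username is None:
            return None
        return self._users[username]["apps"].get(app)


if __name__ == "__main__":
    gw = Gateway()
    secret = gw.enroll("alice", "correct horse battery staple")
    now = int(time.time())
    print("password only:", gw.login("alice", "correct horse battery staple", "000000", now))
    session = gw.login("alice", "correct horse battery staple", totp(secret, now), now)
    print("password + code:", session is not None)
    gw.add_app(session, "twitter")
    print("twitter credential released:", gw.app_password(session, "twitter") is not None)
```

A stolen master password fails without a code, and a code captured earlier fails once its 30-second step (plus the one step of skew allowed) has passed; a live relay of a current code still works, which is the residual risk noted above.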